No Harm, No Fowl: Chicken Farm Inappropriate Choice for Data Disposal

Here’s a piece of simple, practical advice: when you’re choosing a contractor to dispose of your organization’s personal information, go with a credentialed expert, and not a bunch of chickens.

That’s a lesson that Spruce Manor Special Care Home in Saskatchewan had to learn the hard way (as surprising as that might sound). As a trustee with custody of personal health information, Spruce Manor was required under section 17(2) of the Saskatchewan Health Information Protection Act to dispose of its patient records in a way that protected patient privacy. So, when Spruce Manor chose a chicken farm for the job, it found itself the subject of an investigation by the Saskatchewan Information and Privacy Commissioner. In what is probably one of the least surprising findings ever, the commissioner wrote in his final report that “I recommend that Spruce Manor […] no longer use [a] chicken farm to destroy records”, and then for good measure added “I find using a chicken farm to destroy records unacceptable.”

What did Spruce Manor hope the chickens would do with their data? The report doesn’t say. But here at Cyberlex we’re willing to venture a guess (though this is pure speculation): the chicken farmers may have intended to use Spruce Manor’s patient records to line their chicken coops.

McCarthy Tétrault does not take a position on best practices in chicken bedding. McCarthy Tétrault does, however, have some thoughts on preferred practices for hiring a data disposal company:

Answer honestly: is your organization capable of securely destroying all of its sensitive information on-site? Destroying personal information in a way that satisfies regulatory requirements requires special tools and methods: paper needs to be shredded, data needs to be securely (and permanently) deleted, and hard drives need to be degaussed. (For more details, private organizations can look to the OPC-recommended National Institute of Standards and Technology’s Guidelines for Media Sanitization). If your organization can’t do it all – or can’t do it right – hiring a specialized company may be appropriate.

Choose a credentialed contractor that follows appropriate protocols. When it comes to securely destroying your organization’s personal information, not just any chicken farm will do. A data disposal company that you hire should, among other things, take appropriate safeguards to ensure that the data you’ve entrusted to it remains secure, that unauthorized individuals don’t have access to it, and that nothing goes missing from the time they collect the records to the time they’re destroyed. A good way to be certain that the company you hire follows best practices is to verify that they’re a member in good standing of NAID-Canada, the National Association for Information Destruction.

Draft an appropriate contract. When it comes to destroying records containing personal information, a third party is your organization’s delegate – they may be doing the job, but the responsibility ultimately rests on your organization. A proper contract with a data disposal company will help ensure that your organization meets its compliance requirements, and should specify how the company will keep the records secure before they’re destroyed, the exact (and appropriate) disposal method, and the time frame for disposal – to make certain that the personal information doesn’t sit around indefinitely. Be sure to include auditing and monitoring clauses to be certain that the company maintains quality control.

The takeaway? Destroying personal information often requires as much thought and care as keeping it. When in doubt, hire the experts.